Privacy Policy

Privacy Policy – Studio Sayang

Last updated: 24 February 2026

Studio Sayang respects your privacy and processes personal data in accordance with the General Data Protection Regulation (GDPR / AVG), the Dutch Implementation Act (UAVG), and other applicable Dutch legislation.

This Privacy Policy explains how we collect, use, store and protect your personal data when you visit our studio, use our website, create an account, purchase a membership, or participate in our classes, treatments, and events.

1. Identity of the Data Controller

Studio Sayang
Oude Middenweg 239-B
2491 AH The Hague
The Netherlands

Email: sayangstudio.nl@gmail.com
Chamber of Commerce (KvK): 98183206

Studio Sayang is the data controller responsible for the processing of your personal data.

2. Personal Data We Process

Studio Sayang processes personal data because you use our services and/or because you provide this data to us directly.

We may process the following personal data:

  • First and last name

  • Gender (if provided)

  • Date of birth

  • Address details

  • Phone number

  • ICE (In Case of Emergency) contact number

  • Email address

  • Payment details

  • Information about purchases, bookings and memberships

  • IP address

  • Information about your activities on our website

Additionally, depending on the services you use, we may process:

  • Booking history and attendance records

  • Communication history

  • Newsletter subscription data

  • Health-related information (see section 2.3)

We do not collect more personal data than necessary for the purposes described in this Privacy Policy.

Our booking system is operated by Trainin, which acts as a data processor under a Data Processing Agreement.

2.1 Payment Information (Mollie & Stripe)

Payments are processed securely through:

  • Mollie B.V. (The Netherlands)

  • Stripe Payments Europe Ltd.

We do not store complete credit card details.

Payment providers may process:

  • Name

  • Billing address

  • Payment method

  • Transaction details

These providers may act as independent data controllers for financial processing.

2.2 Newsletter & Marketing (Mailchimp)

If you subscribe to our newsletter, we process:

  • Name

  • Email address

  • Interaction data (opens and clicks)

We use Mailchimp, operated by The Rocket Science Group LLC (USA).

Your data may be transferred outside the EU. Mailchimp participates in the EU-US Data Privacy Framework and applies Standard Contractual Clauses where required.

You may unsubscribe at any time via the unsubscribe link in each email.

2.3 Health Information (Special Category Data)

To ensure safe participation in Pilates, yoga, reformer sessions and massage treatments, we may process:

  • Injury information

  • Physical limitations

  • Pregnancy status

  • Relevant medical conditions

This constitutes special category data under Article 9 GDPR.

We process this data only:

  • With your explicit consent

  • For safety and suitability purposes

  • For no longer than necessary

  • With restricted internal access

You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

2.4 Website & Technical Data

When you visit our website, we may collect:

  • IP address

  • Browser type

  • Device information

  • Pages visited

  • Cookies and tracking data

Please refer to our separate Cookie Policy for full details.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Article 6(1)(b) GDPR – Performance of a contract (e.g., memberships and bookings)

  • Article 6(1)(c) GDPR – Legal obligation (e.g., tax and administrative requirements)

  • Article 6(1)(f) GDPR – Legitimate interest (such as improving our services, ensuring security, preventing fraud and managing our business operations)

  • Article 6(1)(a) GDPR – Consent (marketing communications)

  • Article 9(2)(a) GDPR – Explicit consent (health data)

4. Why We Process Your Data

We use your personal data to:

  • Manage memberships and bookings

  • Provide safe classes and treatments

  • Process payments

  • Communicate about schedule updates

  • Send newsletters (if subscribed)

  • Improve our services and customer experience

  • Comply with tax and legal obligations

  • Prevent fraud or misuse of services

5. Data Retention

We do not retain personal data longer than necessary.

  • Financial records: 7 years (Dutch tax law requirement)

  • Account data: Up to 2 years after last activity

  • Health intake forms: Maximum 2 years after last visit

  • Newsletter data: Until consent is withdrawn

  • Website analytics: As defined in our Cookie Policy

6. Sharing of Personal Data

We share personal data only when necessary with:

  • Trainin (booking system)

  • Mollie and Stripe (payment providers)

  • Mailchimp (email marketing provider)

  • Website hosting providers

  • IT service providers

  • Accountant or tax authorities (if legally required)

We have Data Processing Agreements in place where required.

We never sell personal data.

7. International Data Transfers

Some service providers (e.g., Mailchimp and Stripe) may process data outside the European Economic Area.

Where this occurs, we ensure appropriate safeguards such as:

  • EU Standard Contractual Clauses

  • Participation in the EU-US Data Privacy Framework

  • Other legally approved mechanisms under Chapter V GDPR

8. Security Measures

Studio Sayang takes appropriate technical and organisational measures, including:

  • SSL-secured website

  • Password-protected systems

  • Restricted staff access to personal data

  • Secure digital intake forms

  • Confidentiality obligations for staff

  • Secure data storage systems

9. Photography & Social Media

During classes or events, photos or videos may occasionally be taken for promotional purposes.

We will:

  • Inform participants in advance

  • Obtain consent where required

  • Respect objections

  • Remove images upon request

10. Children’s Data

Our services are primarily intended for individuals aged 18 and older.

If minors participate in specific programs, parental or guardian consent will be required.

11. Your Rights Under GDPR

You have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Request deletion

  • Restrict processing

  • Object to processing

  • Data portability

  • Withdraw consent at any time

  • Lodge a complaint with a supervisory authority in your country of residence

You can exercise your rights by contacting:
sayangstudio.nl@gmail.com

You may also file a complaint with:

Autoriteit Persoonsgegevens
https://autoriteitpersoonsgegevens.nl

12. Complaints Procedure

If you have a complaint about how we handle your personal data, please contact us first so we can attempt to resolve the matter together.

If we cannot resolve the issue, you may submit a complaint to the Autoriteit Persoonsgegevens.

13. Data Breaches

In the event of a data breach, we will:

  • Assess the risk immediately

  • Notify the Autoriteit Persoonsgegevens within 72 hours where legally required

  • Inform affected individuals if there is a high risk to their rights and freedoms

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on our website.